Office of Audits
Office of Inspector General
U.S. General Services Administration

FY 2012 Office of Inspector General FISMA Audit of GSA's Information
Technology Security Program
Report Number A120125/O/F/F12005
September 28, 2012

A120125/O/F/F12005

REPORT ABSTRACT

FY 2012 Office of Inspector General FISMA Audit of GSA's Information
Technology Security Program
Report Number A120125/O/F/F12005
September 28, 2012

OBJECTIVE

The objective of this audit was to determine if GSA developed, documented, and
implemented a comprehensive agency-wide information security program that
addresses risks in the current information technology environment. If not, what
additional actions are needed to strengthen GSA's Information Technology Security
Program and protect the confidentiality, integrity, and availability of GSA's
systems and data?

WHAT WE FOUND

We identified the following during our audit:

Finding 1 – Systems faced increased threats because security patching for
high-risk vulnerabilities was not performed timely.

Finding 2 – For newly deployed systems, PBS lacks procedures to ensure that
system officials will be able to recover data and restore the system in the
event of a contingency.

Finding 3 – The Office of the Chief Information Officer (OCIO) lacks
comprehensive guidance for the secure development of mobile applications to
mitigate mobile threats.

WHAT WE RECOMMEND

Based on our audit findings, we recommend the GSA Chief Information Officer
(CIO):

1. Conduct additional oversight of patch management implementations to ensure
   that system officials are addressing vulnerabilities on GSA systems in a
   timely manner.
2. Work with PBS to ensure that PBS develops and implements a process for
   testing the restoration of system backups before new systems are deployed.
3. Create guidance to assist GSA system officials in securely developing
   applications for mobile platforms.

MANAGEMENT COMMENTS

Management agreed with our findings and recommendations. The GSA CIO's complete
response is presented in Appendix B.

Finance & Information Technology Audit Office
1275 First Street, NE, Room 227
Washington DC 20002
202-357-3620

DATE:     September 28, 2012
TO:       Casey Coleman
          Chief Information Officer (I)
FROM:     William Salamon
          Audit Manager (JA-F)
SUBJECT:  FY 2012 Office of Inspector General FISMA Audit of GSA's Information
          Technology Security Program
          A120125/O/F/F12005

This report presents the results of our FY 2012 Office of Inspector General FISMA
Audit of GSA's Information Technology Security Program. Our findings and
recommendations are summarized in the Report Abstract. Instructions regarding the
audit resolution process can be found in the email that transmitted this report.

Your written comments to the draft report are included in Appendix B of this
report.

If you have any questions regarding this report, please contact me or the
Auditor-in-Charge at the following:

William Salamon   Audit Manager       william.salamon@gsaig.gov   (202) 357-3634
Terry Williams    Auditor-in-Charge   terry.williams@gsaig.gov    (202) 357-3641

On behalf of the audit team, I would like to thank you and your staff for your
assistance during this audit.

Table of Contents

Introduction

Results
Finding 1 – Systems faced increased threats because security patching for
            high-risk vulnerabilities was not performed timely
Finding 2 – For newly deployed systems, PBS lacks procedures to ensure that
            system officials will be able to recover data and restore the system
            in the event of a contingency
Finding 3 – The OCIO lacks comprehensive guidance for the secure development of
            mobile applications to mitigate mobile threats
Recommendations
Management Comments
Conclusion

Appendixes
Appendix A – Purpose, Scope, and Methodology
Appendix B – Management Comments
Appendix C – Report Distribution

Introduction

The General Services Administration's (GSA) Information Technology (IT) Security
Program provides guidance and oversight to protect GSA systems and data. The
Federal Information Security Management Act of 2002 (FISMA) directs Inspectors
General to perform an annual independent evaluation of their respective agency's
information technology security program and controls for select systems. This
audit report presents the results of the Office of Inspector General's fiscal
year 2012 audit of GSA's IT Security Program and reflects results from
evaluations of four selected systems conducted during the year by our office.

According to FISMA, the Office of Management and Budget is responsible for
summarizing the results of agency evaluations in a report to Congress. For fiscal
year 2012 reporting, Inspectors General are required to assess agency information
security performance in key areas, including risk management, configuration
management, remote access management, incident response and reporting, and
identity and access management.

The objective of this audit was to determine if GSA developed, documented, and
implemented a comprehensive agency-wide information security program that
addresses risks in the current IT environment. If not, what additional actions
are needed to strengthen GSA's IT Security Program and protect the
confidentiality, integrity, and availability of GSA's systems and data?

See Appendix A – Purpose, Scope, and Methodology for additional details.

Results

Finding 1 – Systems faced increased threats because security patching for
high-risk vulnerabilities was not performed timely.

During the course of our audits, three of the systems we reviewed did not
implement system security patches to address vulnerabilities consistent with GSA
requirements. The identification and remediation of known vulnerabilities via
security patches is intended to prevent those vulnerabilities from being
exploited and systems from being compromised. Oftentimes, vendors are proactive
in developing and releasing fixes to known vulnerabilities to the public. To
prevent exploitation, GSA system officials must ensure that they capture all
relevant fixes as they are released, test their implementation for adverse
effects, and implement them, if deemed appropriate, after testing is concluded.
GSA requires all high-risk vulnerabilities to be mitigated within 30 days. For
two systems, timely patching was not completed because the organizations managing
them have developed and implemented patch management processes whose remediation
timeframes exceed GSA requirements, allowing system officials 60 days or more to
resolve vulnerabilities. The third system had not completed adequate
vulnerability scanning, resulting in multiple database patching-related
vulnerabilities dating back to 2009.

Finding 2 – For newly deployed systems, PBS lacks procedures to ensure that
system officials will be able to recover data and restore the system in the
event of a contingency.

PBS does not have assurance that newly deployed systems are recoverable from
backup media. According to the National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-53, system officials must test backup
information to verify media reliability and information integrity.[1] However,
PBS does not ensure that each system is tested in the environment before it is
deployed. Instead, PBS identifies common platforms (operating systems and
corresponding databases) throughout the organization and annually tests one
system for each standardized platform as a representative sample. Residual risk
remains for newly deployed systems, since PBS lacks procedures to ensure that
backups are properly written to disks or that other recovery methods are working
prior to deployment.

Backups are performed primarily for recovery purposes and therefore serve as one
of the key elements of contingency planning. Without adequate testing, PBS has to
rely on backup methods that have not been tested to verify the reliability and
integrity of the information to be restored for newly deployed systems. If these
backup methods fail, administrators would be unable to perform system
restoration.

[1] NIST SP 800-53, Recommended Security Controls for Federal Information
Systems, Rev. 3, August 2009

Finding 3 – The OCIO lacks comprehensive guidance for the secure development of
mobile applications to mitigate mobile threats.

GSA has developed five custom mobile applications that it makes available to the
public.
However, the GSA Office of the Chief Information Officer (OCIO) does not have a
specific policy or other guidance for the secure development of custom mobile
applications. Specifically, the GSA OCIO does not outline the required controls
and assessments that system security officials should perform to ensure that
mobile applications (for both public and internal use) are secure before being
put into operation. Instead of developing and enforcing pre-defined security
requirements, GSA OCIO officials stated that they expect to be notified by system
officials of the development of mobile applications during the security
assessment and authorization process. GSA's approach is reactive and relies upon
(1) Apple's iOS and Google's Android platform application evaluation procedures
and (2) scanning of GSA mobile devices to identify any new mobile applications
(whether developed by GSA or external parties).

According to NIST SP 800-53, the organization must manage the information system
using a system development life cycle methodology that includes information
security considerations. Mobile platform risks differ from those associated with
traditional computing. These include poor session handling, reduced authorization
and authentication requirements, and increased potential for data leakage due to
loss or theft of devices. To prevent exploitation, security officials need to
understand the additional risks mobile applications introduce into the existing
architecture. Without proper guidance, the development and deployment of GSA
mobile applications can occur within GSA without adequate consideration for
aspects of security that are not part of the platform vendor's mobile application
evaluations. This could result in degradation of confidentiality, availability,
or integrity for entities interacting with the application, including GSA
systems, GSA users, or the public.

Recommendations

Based on our audit findings, we recommend the GSA Chief Information Officer:

1. Conduct additional oversight of patch management implementations to ensure
   that system officials are addressing vulnerabilities on GSA systems in a
   timely manner.

2. Work with PBS to ensure that PBS develops and implements a process for
   testing the restoration of system backups before new systems are deployed.

3. Create guidance to assist GSA system officials in securely developing
   applications for mobile platforms.

Management Comments

Management agreed with our findings and recommendations. The GSA CIO's complete
response is presented in Appendix B.

Conclusion

We found that additional steps are needed to strengthen GSA's IT Security Program
in three key areas: (1) timely patching, (2) contingency plan testing for newly
deployed systems within PBS, and (3) policies for mobile application development.

Additional oversight of patching processes for GSA systems could reduce threats
from known security vulnerabilities. We also found that PBS needs to ensure that
newly deployed systems are recoverable from backup media. Finally, additional
guidance is needed to direct agency development of secure mobile applications. We
believe that making the security improvements recommended in this report will
better enable GSA's OCIO to ensure the confidentiality, availability, and
integrity of the agency's systems and data.

Appendix A – Purpose, Scope, and Methodology

Purpose

The Federal Information Security Management Act of 2002 (FISMA) requires an
annual independent evaluation of the General Services Administration's (GSA)
Information Technology (IT) Security Program. To meet the FISMA requirements, the
Office of Inspector General conducted an audit encompassing assessments of the
security program and controls for select systems.

Scope

The audit's scope included assessments of controls for GSA's IT Security Program
and reflects results from evaluations of four selected systems conducted
throughout the fiscal year by our office. In addition, the scope includes
evaluations of the Office of the Chief Information Officer's oversight of the
implementation of IT security controls for GSA systems and data.

Methodology

To accomplish our objectives, we:

• Met with GSA IT security officials in the Office of the GSA Chief Information
  Officer, Federal Acquisition Service, and Public Buildings Service.
• Applied the NIST Federal Information Processing Standards Publications and SP
  800-series security guidelines.
• Reviewed applicable information security regulations, policies, and guidance.
• Assessed the results of the completed system security reviews for three
  systems.
• Performed an assessment of select CyberScope questions for a fourth system by
  examining the system assessment and authorization package, including the
  system risk assessment, security plan, security assessment results,
  contingency plan, and plan of action and milestones. To determine
  implementation of certain CyberScope controls for the system, we chose a
  random sample of minor applications.

We conducted the audit between April 2012 and August 2012 in accordance with
generally accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.

Internal Controls

This audit included a review of elements of GSA's IT Security Program, including
select management, operational, and technical controls for four GSA systems and
the OCIO's oversight of the implementation of IT security controls for GSA
systems and data. We did not test all controls across GSA. The Results and
Recommendations sections of this report state, in detail, the need to strengthen
specific processes and controls established within the GSA IT Security Program.

Appendix B – Management Comments

Appendix C – Report Distribution

GSA Chief Information Officer (I)
Senior Agency Information Security Officer (IS)
Commissioner, Public Buildings Service (P)
Division Director, GAO/IG Audit Response Division (H1C)
Audit Liaison, Office of the Chief Information Officer (I)
Audit Liaison, Public Buildings Service (P)
Assistant IG for Auditing (JA)
Deputy Assistant IG for Investigations (JID)
Director, Audit Planning, Policy, and Operations Staff (JAO)
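Added illustration for Finding 1 (this is example code written for this edited copy, not part of the OIG report and not a GSA or PBS tool): a small compliance check that the oversight in Recommendation 1 would rely on. It takes vulnerability-scan findings and flags high-risk ones still open past the 30-day remediation requirement the report cites, ones that were closed only after that deadline, and assets whose last scan is stale (the third system's problem). The record layout, field names, the asset and check identifiers, and the non-high severity tiers are all constructed assumptions.

```python
"""Patch-SLA compliance check over constructed vulnerability-scan records.

The 30-day deadline for high-risk findings is the GSA requirement cited in
Finding 1; the other severity tiers, the record layout and all sample data
below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation deadline in days by severity (only "high" comes from the report).
SLA_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str                         # scanner check id (constructed)
    severity: str
    first_seen: date                      # first detection by the scanner
    remediated_on: Optional[date] = None  # None while the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Days a finding has been (or was) open, counted from first detection."""
    end = f.remediated_on or as_of
    return (end - f.first_seen).days


def sla_breaches(findings, as_of: date, sla=SLA_DAYS):
    """Findings still open past their deadline, oldest first."""
    late = [f for f in findings
            if f.remediated_on is None and days_open(f, as_of) > sla[f.severity]]
    return sorted(late, key=lambda f: days_open(f, as_of), reverse=True)


def late_remediations(findings, sla=SLA_DAYS):
    """Findings that were closed, but only after their deadline had expired."""
    return [f for f in findings
            if f.remediated_on is not None
            and days_open(f, f.remediated_on) > sla[f.severity]]


def stale_assets(last_scan: dict, as_of: date, max_age_days: int = 30):
    """Assets not scanned within max_age_days (None means never scanned)."""
    return sorted(a for a, d in last_scan.items()
                  if d is None or (as_of - d).days > max_age_days)


# --- constructed sample data (not from the report) ---------------------------
AS_OF = date(2012, 8, 15)
SAMPLE_FINDINGS = [
    Finding("app-srv-01", "CHK-1001", "high", date(2012, 6, 1)),              # 75 days open
    Finding("app-srv-01", "CHK-1002", "high", date(2012, 7, 30)),             # 16 days open
    Finding("app-srv-02", "CHK-1003", "high", date(2012, 5, 1),
            date(2012, 7, 5)),                                              # closed after 65 days
    Finding("db-srv-01", "CHK-2001", "high", date(2009, 11, 3)),              # multi-year DB patch gap
    Finding("web-01", "CHK-3001", "moderate", date(2012, 6, 1)),              # within its 90 days
]
SAMPLE_LAST_SCAN = {
    "app-srv-01": date(2012, 8, 10), "app-srv-02": date(2012, 8, 10),
    "db-srv-01": date(2012, 2, 1),   "web-01": None,
}

if __name__ == "__main__":
    for f in sla_breaches(SAMPLE_FINDINGS, AS_OF):
        print(f"OVERDUE     {f.asset:<11} {f.check_id} {f.severity:<8} {days_open(f, AS_OF)}d open")
    for f in late_remediations(SAMPLE_FINDINGS):
        print(f"LATE-CLOSE  {f.asset:<11} {f.check_id} closed after {days_open(f, f.remediated_on)}d")
    print("stale or missing scans:", stale_assets(SAMPLE_LAST_SCAN, AS_OF))
```

The stale-scan check matters as much as the deadline check: a system that is never scanned reports no overdue findings, which is exactly how the third system in Finding 1 accumulated database vulnerabilities from 2009 without tripping any 30-day alarm.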
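Added illustration for Finding 2 and Recommendation 2 (example code written for this edited copy, not part of the OIG report and not a PBS procedure): the backup test NIST SP 800-53 calls for, reduced to its essentials. The backup records a SHA-256 manifest of every file, the archive is restored into a scratch directory, and the restored files are compared against the manifest. The second run flips one byte of file content inside the archive, which a plain tar restore does not notice (tar headers checksum only the header), to show why the integrity comparison is needed and not just a successful extract. The directory layout, file contents and function names are constructed for this example.

```python
"""Backup restore test with integrity verification (constructed example).

Back up a directory tree, restore it to a scratch location, and confirm every
file is present with the SHA-256 recorded at backup time. All sample files are
constructed here; nothing is read from or written to a real system.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write an uncompressed tar of src and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare against the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems = []
    # Use the safe extraction filter where this Python version provides it.
    extract_kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r") as tar:
                tar.extractall(scratch, **extract_kw)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(Path(scratch))
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in sorted(restored.keys() - manifest.keys()):
            problems.append(f"unexpected file restored: {rel}")
    return problems


def corrupt_archive(archive: Path, marker: bytes) -> None:
    """Simulate a media fault: flip the first byte of `marker` inside the archive."""
    data = bytearray(archive.read_bytes())
    idx = data.find(marker)
    if idx < 0:
        raise ValueError("marker not found in archive")
    data[idx] ^= 0xFF
    archive.write_bytes(bytes(data))


def run_demo():
    """Back up a constructed tree, test the restore, then test again after corruption."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "system"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.conf").write_text("listen=8443\nlog_level=info\n")
        (src / "data.db").write_bytes(b"RECORD-0001:alpha\nRECORD-0002:beta\n")
        archive = work / "system-backup.tar"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)          # expected: []
        corrupt_archive(archive, b"RECORD-0002")            # damage one content byte
        damaged = verify_restore(archive, manifest)        # expected: hash mismatch on data.db
    return clean, damaged


if __name__ == "__main__":
    before, after = run_demo()
    print("clean archive  :", before or "restore test passed")
    print("damaged archive:", after)
```

For a deployed system the same check would run against the real backup media and the real restore procedure rather than a tar file, and the manifest would be stored separately from the backup so a fault in the media cannot silently alter both.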